One of the commonalities in any kind of data breach—no matter whom, no matter how big or small—is that consumers put their trust in someone and then that trust was violated. Whether it’s turning over your medical records to a hospital or entering your credit card information on a website, we have an expectation that the people in charge will protect us.
Unfortunately, all too often, that trust can be a little misplaced. In this report from a Texas-based news team, even in accidental data breaches consumers have little to no recourse when the people in charge of their identifying information aren’t worthy of controlling it.
As the article states, the Dallas-Ft. Worth CBS I-Team discovered a public records website for Dallas County that contained the names, addresses, phone numbers, Social Security numbers, and more for thousands of area residents. Worse still, this website was maintained by the county courthouse and contained this information on anyone who’d filed court proceedings going back over a decade. In many instances, even children’s identifying information was listed for the entire internet to access.
The story only gets worse, however. The I-Team reached out to the courthouse and was directed to the circuit clerk, who was the only one with the authority to take down the website. The initial clerk response was one of dismay, and the news outlet decided not to immediately make this story public out of fears that identity thieves would flood the system to get the data.
Later, the circuit clerk felt that the danger to the citizens was less imminent than the difficulty the court system faced if the website was taken down. For months, the news team worked to get the site taken down, taking the matter all the way to the Texas State Supreme Court. In every instance along the way they were told that the only person who could remove the site was the circuit clerk.
One person held all of the authority to protect or compromise tens of thousands of people’s identities, and for more than six months after calling attention to the issue the citizens’ information was still readily available. Lawyers, judges, and court officials at every level were horrified by the data that was ripe for any identity thief to take, but nothing could be done to remove it without the clerk’s approval.
Luckily, the nightmare has now ended and the county website uses a new database provider that requires personal information to log in, as well as a fee to use the site. That should go a long way towards stopping identity thieves from sifting through the publicly available data. But this should also serve as another eye-opening event in the ongoing fight against data breaches and identity theft.
One of the most important things any citizen can do to protect his or her identity is to ask important questions about where the data will go and how it will be protected. Even the clerk in question had no idea that the data was available for everyone, and she was in full agreement that something had to be done. She simply reacted to the potential delay of court proceedings instead of the citizens’ security.
There are times that your sensitive data is required, such as in a court filing. But too often, we provide our data to people who don’t actually need it, like a doctor’s office or our children’s schools. Any time you’re expected to turn over your personal identifiable information, inquire about security. Don’t wait for an investigative news team to tackle the issue, and if your sensitive information isn’t absolutely required, then don’t hand it over.